7858e0109826f2fa535df97adc61f732dae57030809d32c9aa0175f3e181686a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
Size

4.6MB
MD5

cde50430be06aadb006fa52c27b716ea
SHA1

99a96c2e500a258e200d64468353d347cde8ba18
SHA256

7858e0109826f2fa535df97adc61f732dae57030809d32c9aa0175f3e181686a
SHA512

f3fb3b59cc5e9d1f7a8298c36bf6221c95cdc041de21399aaa1fa709133552f3e2b8d28be4836755d0a587282a1aeed4dca29e007e439fba08f1ec0645b89983
SSDEEP

98304:X2D8siFIIm3Gob5iE6RVlbnP9WXW7H6C:X2D8j+7GyIE6HBVH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1348	alg.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
4732	fxssvc.exe
4716	elevation_service.exe
2572	elevation_service.exe
4656	maintenanceservice.exe
4496	msdtc.exe
2360	OSE.EXE
4744	PerceptionSimulationService.exe
3220	perfhost.exe
1180	locator.exe
5100	SensorDataService.exe
1056	snmptrap.exe
3948	spectrum.exe
2136	ssh-agent.exe
1716	TieringEngineService.exe
2176	AgentService.exe
1088	vds.exe
4504	vssvc.exe
3912	wbengine.exe
1808	WmiApSrv.exe
3308	SearchIndexer.exe
5192	chrmstp.exe
5300	chrmstp.exe
5484	chrmstp.exe
5468	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dcc3c9b8b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000469f83ed5fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a9da2ed5fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000469f83ed5fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002861c6ed5fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bec76bed5fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7b639ed5fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
4212	chrome.exe
4212	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4176	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
Token: SeTakeOwnershipPrivilege	1480	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
Token: SeAuditPrivilege	4732	fxssvc.exe
Token: SeRestorePrivilege	1716	TieringEngineService.exe
Token: SeManageVolumePrivilege	1716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2176	AgentService.exe
Token: SeBackupPrivilege	4504	vssvc.exe
Token: SeRestorePrivilege	4504	vssvc.exe
Token: SeAuditPrivilege	4504	vssvc.exe
Token: SeBackupPrivilege	3912	wbengine.exe
Token: SeRestorePrivilege	3912	wbengine.exe
Token: SeSecurityPrivilege	3912	wbengine.exe
Token: 33	3308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeCreatePagefilePrivilege	1868	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
5484	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1480	4176	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe	81
PID 4176 wrote to memory of 1480	4176	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe	81
PID 4176 wrote to memory of 1868	4176	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe	82
PID 4176 wrote to memory of 1868	4176	2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe	82
PID 1868 wrote to memory of 3504	1868	chrome.exe	83
PID 1868 wrote to memory of 3504	1868	chrome.exe	83
PID 3308 wrote to memory of 4696	3308	SearchIndexer.exe	110
PID 3308 wrote to memory of 4696	3308	SearchIndexer.exe	110
PID 3308 wrote to memory of 4292	3308	SearchIndexer.exe	111
PID 3308 wrote to memory of 4292	3308	SearchIndexer.exe	111
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 812	1868	chrome.exe	112
PID 1868 wrote to memory of 396	1868	chrome.exe	113
PID 1868 wrote to memory of 396	1868	chrome.exe	113
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114
PID 1868 wrote to memory of 4568	1868	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_cde50430be06aadb006fa52c27b716ea_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2d4,0x2d8,0x2dc,0x2a8,0x2e0,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e577ab58,0x7ff9e577ab68,0x7ff9e577ab78
    3⤵
    PID:3504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:2
    3⤵
    PID:812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:8
    3⤵
    PID:396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:8
    3⤵
    PID:4568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:1
    3⤵
    PID:4968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:1
    3⤵
    PID:3816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:1
    3⤵
    PID:5340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:8
    3⤵
    PID:5480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4192 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4188 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:8
    3⤵
    PID:5992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:8
    3⤵
    PID:6040
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5192
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5300
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5484
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x270,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:8
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2816 --field-trial-handle=1880,i,3956331447047873115,2498532245185132035,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3948

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d06f6813159ccbbd3691ba042d9f1fc9

SHA1
72f4b5c720243e5f78106e31ea17a6767916f7d7

SHA256
a57dc85bab0f21be5946ee885727963ecf96707eaf27c106c6329acaa13f3718

SHA512
d0203e66f6648dac2aac0855625adba5cb1acdedd9a0b66078625248e8fd1231c9a5c6486b25dfb4986f1290f71e16882daefcd3ad7b5d7ac8a91c83564aeca8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
497aaf624c1c8d6db74896a5c594b5eb

SHA1
1c71a52322d8adc5a641bdab071748f6775f28fa

SHA256
eb717bdacc1479a174d0945f8c91ba23e10bbbd1c3e078fa2f45a7d640fa4f2d

SHA512
59a88e818a2d38eef19a024bb644660e9f9e0f17a1b33d6c1cda3df590ada71d56126b4ba9b41f7c222d0981ccb45be33e1ea45914c6dba1b55bd43f4b7ad43b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a2632f9f05caedd4ddfb932cb5e3dfb6

SHA1
888313875682fac001b41ab9b9ca7012ded2542c

SHA256
4aa9ad76b5922d0838b183e7ac5a345b23ee7e21140d95359baf4b547080c36e

SHA512
215f44c570b319eef807ad8ae8d19027da4c9a6fe182188611ed635dfa304996771b75c38752c0da0a53c1d81788664be139877492476248944c4173e07ade42

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
77953f152e922345d21c622f35d70ce9

SHA1
3c247a9be2846d51f308c38e8768733a34027465

SHA256
6fee1a0cc6383b76f338cd27e63d793a05a06c048f9021bf43e88340e26c34d6

SHA512
68dfd29370e69fc12067ca2b766c2942565a37b3ca2b90416f03f666c4358fa794b448430635d73aa642a460837d718e83e47116318f99e462aaba8bd7fbc264

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
06e9c6ce9b9799664aa486b7723defc2

SHA1
e658f9ec426cce30851c6b0bc145cedda679f258

SHA256
c249f91ab2e93912b534220b6a553c632b7046e970275e68916257a00e76d82a

SHA512
bf0fcb2c9a28b9f5272ac2ede2c88e1fd6308422aa13db4b05881fb669342f280d5a90b766dc10c6e04048805ee6b7bf0c58051b0c6a35a03b58314caef6b06f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b9b90fdba11bbe541aed442dcced993b

SHA1
91df17d1a1bfa23cebc6e91a562c400767f7bc55

SHA256
e57386e5f7b1de91a74d8629b191b8400989550fe4530dcd1a0609f3d5f42dc1

SHA512
f64e8f57d14ff2408158a4432e43a33489783d7cf4b2980bb3bbd906395619dd8109975f02019848c43759b8cef05c290f16800ea55615b01abe512984b80f72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6de1b36db5e2678108b1c5e8c0b710e6

SHA1
364b8535706514523473ad330c1e419e88f6a780

SHA256
cb0eeb7c92c1c632422f211395c1f411968bf22ca6c53b5e2059c425aacaac6d

SHA512
927a725ec0f8817144133ff5053ee1fbc8a3b80cc5e1a4c418503b2d6d56f6355d006af4bad977b6c9ea062fdf2ac0581ad51d148154055ee0cecb3b0dbb7a83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e044f807ad11bd7bf029a31bf078e191

SHA1
c0785bb1dbfda17dfdfe2213f6de053fe5c69cae

SHA256
c93bc7bf9f47e80c44bb43067e5c984607b4e898d5410eb5010ad62066c8e20c

SHA512
5f9624f05e37ef9e9bea8cb6307216e5030aa8b836f8b0ad2491074e414034067af1ebfd472338426c63af0142f27138e5ec2cc38d3518129b616871a2ccdb9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f88dc11e7e6fa52e6e229dbf21e8745e

SHA1
3c0c01069d003e8052e219d0cb602b3d00db01ee

SHA256
75b736f7c1ec6c42cb4f6704f8e1bc27c08cd16e1f7a807b3ec539ba0bb4bda8

SHA512
66c75d2b66c171d540db43e67acd99b20a746c523f6118de3d436667c66a8bb94552cc55ea2ad3bc2aedeeaf2cfc003b48a140e3acc025836f6919a1b1764d70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
28afdd11a5ede8fcbad2eab274da5b1e

SHA1
27eff4d676b4c53b59207459dfde1eccd9448005

SHA256
3c9ff2ce944df3aa0ef191325146e7aa5838312ee8877180667bb1c768ba9c19

SHA512
d98830ddfce1ac3ea0615198c5b0c9a403c74e98d31034df14bbbbb1728fb3c9d668f800a31672c2d1f7a4d069cd6123392016e19aac36725b779680e5d85f00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d6d7116799616da1c4c4a4d2a96b88c6

SHA1
2946e227256df9f4694a69c65107312adfd39013

SHA256
a09a8278806628f86a9cb81b84386327a9bbcfe4ab1aa9d0df203698ea193d0a

SHA512
c52dfa1877916039c92b9381f7c990adaca7f3c0faf8806a29aaf9fe5c16e64a5555142131daa855b08e7f6cc2cb097e955588792cc6b7be4d13c07c73da7f0a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f7a22de3784b7ffed691b9b2fa15363b

SHA1
b2e7942c47723b7ef4294662d591322d75989d11

SHA256
26d9c4c93b4dd4adfed876bac108a4f64acd6ccb7abfd9e77640c9f94376267d

SHA512
76f5c20722504a1408674770903a626f9458b2a7574946064104ba0fa1c862fbceb1d28d270af866830858e48ce5b2df64cdfe1313af7c733624142b06b90687

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6349916e48735cae2971db5720500c57

SHA1
c0dd79e525a355816497237802ad3c1233b6d5e3

SHA256
061b2cca045791225d62205bd6ca616695d89a0aca7cec20b06cfde82aca8676

SHA512
0926733dd019974a4c417938c7d66517a69e6edadbd8d0f8371f57eb77cbdd683021c066fd801159b21615fa5ce1536bf31628621862cb2182b00b6f9efceba1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3dbb7f7ed8ac6acef9a68228d1d7f533

SHA1
394c5d2ef0af43c0e5b75592b41b9334d80bd08c

SHA256
bea59e1fa8ec5884bb8e8c464f958ecf91cdb08b9c98f4bba913edc36352a9c0

SHA512
2465763b954909c7e284950b95085971b7598d6b12dedda860ab78420a97396537e830385f050b4bcf58e7d694ac47d766f5689251b9ffc0d6d8696519f623f0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c39616adfa71db3f48ff9a09e7378eac

SHA1
90d062e87894714c10a185b70dd6f6e693407cca

SHA256
adff6ea823f70b732923e79bef6b2e2842d3c890c0877b2c139e8b679f8ac6b0

SHA512
0428ea9533aab95c1cba48653b5c879cbb2af445d763d93ccdcc400682a94a8c0acb7aefa49da9f4a6cc5ab23b6faca0a36ccbca1d7f2610b521df81c5c40bbd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
19799460da3eaeadbfce01ad7305b29a

SHA1
4e604ab8f830b08bc52908b116a2a8d279ddb90b

SHA256
3a2a6b0a6026f5c5108d04e9eb4d64b6588894018a2fea6556144b76ad78131e

SHA512
c13ecdc1c6dcd5eaed6bc8ea3e8f5bd57df464e326bda95dd0b59e7bf521d2b155c850bd278dd8a65f98a6dcc1bf63ea0d320ddd38b90df3cb594111798c9f81

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a5871168-1c42-40fb-ad4a-db879879a5b8.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
22fa7e997abb55c5954ceb444b76ffdf

SHA1
5f5e8748d0133f3a2c3632071fc59dcc230fe52c

SHA256
4f3564c8e66738fc3433dc728d085441d59cfc3a75e19e43bf4358608af6f6b3

SHA512
1f21c688a118c853f3c19fd0133c8d0b935f5feed442d5978e0dbac1fe118b8645b53dd3e86878e4efa313154bac34e1e781a2cb9a5e087c77230e83dfb27221

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
813f5d233513b2f3e65fbb5ecfa821fc

SHA1
e980127b2f037671df1f765d4c0dd4c9bea79c74

SHA256
7b98b475c15c2ca1ce9e69f55adba1aec1e36caa5267403c65c0353d52429696

SHA512
2bbbd4be3a07edde61bfe122fd7fe92377bf05de5e560b81b2bfb49943710eaed9919558ead3559ccd75b5210a8f7566989963a10e6274e98cb28c7aa3721ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9b5b230f0701816e630621fb865a7090

SHA1
905f2b1d7db45f719f8ef2c2091e731bca04b740

SHA256
e70230c1277308f2289ba8cf9dab8309a2969da19ff73b37844c2b477d968e16

SHA512
217c10459c9f01454463884edf330abc9139c03acaa5137d01eb6170732c5207acca239a84d348d351dd6a180a7dce8db72794e71e20b8d015bf5c43fac0a4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
004fbadd21f3b18cdc36290f1dc70009

SHA1
b2919558629177919048f81fc0b5ed81d899df77

SHA256
ed44d73a8509449697f0885af405ed9e07d91e81fb445cf13abbaff6f4827b0a

SHA512
c2dccbeede401fdecac903b7a9638ad3e74b7972f666bf99b928af593d7e06a0e00ec1f9b539d90b8a95ae1c5119e1bb97aa782da207b4facc4b14020139a04f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
77be35575206c1e0c7e25165182cf39d

SHA1
93f646d31ff188e870a0161682e77560569dc5a7

SHA256
a300adfab1658acaf32d9b078b495296e9e8e0efb9d6d229fefcc8beb6f03b7b

SHA512
6c4063e4cca74cc66ea6efcec25e0344f8f3109b9b1c5929ad1ad72017e87388f3dc8053a6a5e5ce1490d0283b315d9a7ea2f2e9a9c337133f73a15a3582671c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577d6d.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ee7a4389a7c7af0c1b14d90217e1dea4

SHA1
8401f10c9b336dab7c339a3f373d6e2e4126dda9

SHA256
22d8f755ece5206ad75d15c5b5b5780617cd2086888b36eca6c6feb0fb28948c

SHA512
0e0db5b2590ddd0ba09a9ec3aca290b6ddbc7dd6c385645a848ae93f3938690665b652205bae30c925df0891211c7615c03d227cf6703c6ae3ebca65385e68fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\da68bb68-5f7f-407e-8993-9dbca4ada8ab.tmp

Filesize
263KB

MD5
7bfeb03d2281d4783cb045575c35e31e

SHA1
d19d82c6bed92ce6221591f6d3b48c067b32e936

SHA256
45838e7668a9936bcc557f8234c448b7829083317ba126dad7f340e4c3d86332

SHA512
8bfaf14891e8bfb1ad44223c659eede4f5b191ac268f2c793654673bd59ecdc8e3c0f0c03be0c92c2b07c399c0bce89cc2475684d06f244c113f91321328c7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
a6d49a8443511d3c1b85319f31364589

SHA1
e73750d78c684913ce60fa083f56386da2febaba

SHA256
63df23891ceee320fa4a9f0585deeacea92a68d3fd6a6ddd9ba7ed8610a98bf5

SHA512
c6ddf517f9da06650d8118f21dd352cf0c9a9d5a1d9e79e9a1235570bdee81780aa73d55ab77609561890f0159d54840c9d1484554f3138605726a1f7ecec9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
171d8a5fc44e5742096cfc4a3b45b9b9

SHA1
9383df0009294a470e6dab6fab84f5f638779dd5

SHA256
e679e7fb3ed80a8f40f4d6258f249f1c4b944f29298d6313f0635ce1179432d5

SHA512
8a4b153a5c8a7871b4e654e7ac7e6332f789e8054cda3036d370419e6a392208cc31669295ec70ab457fe7d47874a19fe082633459fbfcb7f2c1ab1386cdacd5

Download Submit
C:\Users\Admin\AppData\Roaming\dcc3c9b8b4b1389a.bin

Filesize
12KB

MD5
c23fac117f56e804c0213890fd2995ed

SHA1
c058ba9db7f18de6a657f403b3e9038a190f049b

SHA256
9bc959959747f93f296b8c2903b3d109d260179cf9b72d37e5a4b222f422caf5

SHA512
c8fb72943ec710e7f7e35ff4db0283c72b55bad23aa494d0ba55b8383dddbb57ac54a4754329225a813ec8108cdf3b44ff823e47733e0628aaefa19d2b424ecc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b349c444ab4b070692e81526a6c58278

SHA1
a2ab5ee1df8e7b414f2c5453dc436d9da6bfde22

SHA256
4861943bff50ed0531bc2af1f07180e43357496a328436235a3c84a6eb2e9b2e

SHA512
cbff58ef6214eeebd985971f6b179480354b0afbda9bb2fe24917ba9934fa8a2dbc2ceddb4552e779d2917401ca24ce2f517d276e986ee08eb853d240520a089

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6beb86d45bb34346ca3a183379b9859b

SHA1
51c78eca05be987899757bd9f51bb28ae3ad9b21

SHA256
8b29ca36d31fb4d9822480e3f2a280c62d2a14c19b62d9229ea0bedd814af184

SHA512
fdeaf3c37b296674407f138ca18dd9ed7a4c6ca246bbbada3a2a587c12b360a3421f2545bec2a355a9584c9b2681a66638fe57e13a49df4f37a01c839e800000

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5a1b0a6db652547a781aa371e79d202d

SHA1
c61ad1496175be1c0c15b31fe3f78d115542158c

SHA256
f8a107b967693be1305d190be0c5a789fb2458f22df14ee54ac387d16d8fe7ce

SHA512
c8bd43e5d15a99c4a63f1aea46cb838f5714760d99d2a221ef6d1144b603a4ac2db414822131c65ec110bb990d6b4e51d59dd4cecddbc3c96857476b97651278

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
baab9d916a4401ea6ae3f53d27e00255

SHA1
1d948a018b0a8f2001bc74aaad6095bff57ac1ad

SHA256
6a36039d027dc522dd683bd13bfcbecb86cf58339a5fc462009ab9d0c4a2b931

SHA512
194188ca91700965270d9c9e40d187231d4e63ec86f0341e46ea3e398c2a2300048e36b2ee19e57824e083103001dabdacc13050ae24b0cb0586e0737a03ac2e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
51c3ae8ef393e4ab3507bc2c215d358a

SHA1
f8b53f1d11045db9cc1312de301c18ec76ac7380

SHA256
c1fb83ca4db82b09b7dca045e1f234cd5e17b198643a275428e8ab004f6ae63e

SHA512
f377646701a7ea62b4f9bdf085be7dbaf0a5bbdf04bbe273342d9944638cbfda1a8aae41f8fe819e479d515ce6b8b0d3893cb20538254713a7120712aeb8071e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4115827e8fb331bc0388529a641eb96b

SHA1
7e0ccb37cddb2d129070169fb41684b8c8d24662

SHA256
8f7659a94b90527f4f3e66845278a523c50773c49166b122fed1805646f56fca

SHA512
ebd49ea9e2d786303f5de3c897e139a6b08d3d59778a53b8b21872c1c58d404f0361715848c04613ba935dd72af539481b14dc148f778034fea101761c7553c2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
37c844dbdbced800040783b49f0d5a4b

SHA1
9f1321d1809bfa3ebe54aa88b6c576199c7358be

SHA256
2ac1795eea2bae069ac775729383bfa74d98bed28f403e8d0e1780ffbbf5b578

SHA512
6b3b52d9ece636f6f440ff8099afcadd8eda3965b23fa67771056ae8bd70e36743878c87c4072e0849a25ed6527250f3343a2c3a3eae0a18943231605084ae7e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5da99c2d47fca5af7f62192e0f620149

SHA1
b1cf7bc633411549cbe8f8c392be68abf4a2d869

SHA256
cc1330c4acd57dd446a79749353c20ec84b60079eff62f820eea4372c922fd02

SHA512
72b96d7e80109f4ea9e9ed1e579238f4d8727c5e0bb5f420f833fab429df09d97a2630d6b1174cbe8802422546847018dfdaa8365624febce2daa3b27dbe2d16

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
afae0431b126fff118d255d260e35715

SHA1
0551220993a09d49b004a67597da752c7ff671bb

SHA256
d52ae729d4884bc35b81eacd17ae02b275b4501ed2dfa2ccf1f5ef991ae53e33

SHA512
693f9a93ced31a6a18aa8178302ca4cc835a6da3d5eec4a2da2f247dd29b54035f9d933ae70ba62a6de109c6051177a297f4f244ab8784c943ef3f3fa2ad56c6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d657cd6e3df029d4761b800ae4515e8e

SHA1
90f6536a38f9a82247f66fd162a57371bcab7164

SHA256
4e2a559a9c0e285493243c947b044a3da23da649b6e6482d49c5f3dd119ad774

SHA512
d11f024e4bea60c95778ce5764ca1942c174ee79b3c5b311c0db1e73906517ca4d60cad9cbe98a9fd6cc287cb192476d11fb3bdf5a2442f35f9c26fb1e38e46e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c3e2316e087956dc5982d7205e41698c

SHA1
f65224721520fc262d677fcc33c7bd51587af404

SHA256
1678d60764ea8f50174e409439d6f42b05797a6c45e4e677768bc86af5127ae9

SHA512
c6b08ee39435f6a83d2bf0f75b842eefc9422f8baa405c37bb17be0b50092308fa084eda56b69ec9953b9da05fdc6bb50f8d52ef522e824e37d6c7b5e887fbc9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b5216bcd220e76fc255b2f59a403fc38

SHA1
7184418feba0fbb2590317387b8e0b7926a1127e

SHA256
bd5059b12aacdff2f86866284e5e9bed5a91afdf638c650320358316a25797f5

SHA512
ae681e60b52fec79b3349e7f0fad67ea48c1f203f713de06e3cb348aae39f711b4bd8fc0952954be863429a344577b8db72465f1dec9c9cfe208ecdb6738a4a3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e079fd686b810916b363f6c13c690ade

SHA1
7e5596479162d43f8ae86ca1bc1ec50c96d6ef7a

SHA256
a78ffaa2a949f9f017c367aa7db6f6aa0644303297645dab85adc05caee21ed3

SHA512
29e0c21745a2834aa23c03a5503843641f6f6a0e282d9370d043173a2deddacf4e2cd8dd075b8d212bd4dfd721cad01881a41b54669df66c28f6c1a5bba9f2fa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
681496973a58f6e5505a0fd1021d55f9

SHA1
81413738401484a3e10f443501809119c89627be

SHA256
c869ea69a7ef39c7889f59112c2be3be0ac5f599e9613466d7d54698804c02e0

SHA512
e40a9a6706ed53a1294aed3187707ccf7e8d1a6721ac8a8b415e94aa97c5764fa6949c5212a168d9028333dd6cc43c15c22fc2799477ceeee9e9512ec31489b9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7fa71a8bf71466d002908e1ff8c0d177

SHA1
ed3b4b2bbff5e1fe17ad0b21339069e51e5b3f45

SHA256
8aa6df398bc591d7ce92fd7428a9d72b4f04b68f9c017e60b85c94f5e328d161

SHA512
39a23d3a6d34720beb3187c93a27d74bc928870b9450da5aa2d9cb15fc88a22a32097133c75e1603393bce79847d717dad6ee13c77e57c15c96c59ab3f5b4ed7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
99a0549cf1bd762378a0101b108bc8b4

SHA1
5121e7ed0237459024ab7d5b4024482764396631

SHA256
66559ec9a1be1a6bcdb041fbfdbac105fd5be620a5ddb7a3bc4b8fbaae9abb12

SHA512
84fc8787f941d4b058e01e90124fcb9c4ab449a7b7275b2f801f8c02739b919cb4288066187d9bb5f3290fb73e4e8ad9a9f2b89d0bdcb0ef5d3baa9d3b56db79

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0c4ecc711136ce2a602e1269850f2e8d

SHA1
0fd00b0479db319e87bd4706167090d40194aa4e

SHA256
df953b7e17e4dd2968860d7210b1bc74f425d3d055533d258053f81436ffe923

SHA512
78fa703c18591ba8bcd9efe10215cb6587a1946c84b90624d7967fe8a69399f21a7a16e4e09cdd78f46f82759102391caa6bac9b8bf2fbab19aabd83737eef67

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2aad4f88c6bea4c7a5d259e230b7a1a5

SHA1
393f59ba4a3c2a012bed03d166dddc112445257a

SHA256
a0bf78986036a4bc115a765b3a8c18e087491972b53e683a358ea8fd098be39f

SHA512
5785bfa5f723f78018e2db80bdd5149aade5acd42ea64f61e859348dc13689f1cf7c2008b7c3c366cf1df7a513090064053afc44eaf718a7d66ce2c4085b8a41

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
61940667c02b18548ddbb272220444d6

SHA1
9851b9f7ab9e8debb78ff7e0a69902bd16f45600

SHA256
4c96a2119b839292f0307096d41a01b6a4996397560022376008eed01b1eaef0

SHA512
d28be0bcf3c469b6f61f0fcac8aba27312d0970b3eec870dc2420621874106a8a77bb0a18ce7e9b07ee514a973411ecc024479a8bda0c6eea3cc3a4d4ce3257d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3db756d89a86ada4200cb4ec090a7895

SHA1
aaf467835c679a89f5a5e0950fe040ca63dea67d

SHA256
dbc53f398af9e1fd8fb8dac8a647d6f1197cdf02dc7b3dc739c6574c44a5376e

SHA512
49df7eca0661c97d79cee04f26953ec03dc85e6e9c1bb2729b213bce370d894f78e9dfe87ae518d7f80fb36b19f35907f2a2144f919a16ab1b0a70793bbf4537

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1d5e81abe93c536c8bc6dc5ece700ce1

SHA1
5d5e4eec78bd3c31831921d0e8a07c2a12f0c9c6

SHA256
db7c457093a2a9f6b74ff657b3ed6316d08e6c26f2140682deeb0454c948a2e5

SHA512
103881b4d237151525019e57f6ed6349da52256115b05b672b3ec7559b23acff1b3097304a3c24343d1962358959478c5fa8fa4c7609a1149d0e8fd83a1479fe

Download Submit
memory/1056-238-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1088-640-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1088-242-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-236-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1348-626-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1348-49-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1348-37-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1348-30-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1480-581-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1480-11-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1480-17-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1480-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1716-241-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1808-689-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1808-327-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2136-240-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2176-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2320-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2320-632-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2320-41-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2320-40-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2360-233-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2572-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2572-639-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2572-230-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2572-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3220-235-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3308-690-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3308-328-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3912-326-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3948-239-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4176-28-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4176-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4176-0-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/4176-6-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/4496-232-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4504-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4656-89-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4656-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4716-72-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4716-66-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4716-434-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4716-231-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4732-62-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4732-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4732-75-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4732-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4744-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5100-237-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5100-530-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5192-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5192-602-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5300-741-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5300-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5468-742-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5468-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5484-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5484-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download